Topic started on 12-4-2006 @ 07:43 AM by SkepticOverlord
Given this story: www.abovetopsecret.com... which most of us suspected was happening anyway, I've been considering some
options for our members.
First, you should know that we don't retain traffic logs any longer than is needed to compile aggregate traffic/performance reports. So it's
impossible to engage in any review of our traffic history to reveal specific visit patterns.
One of the new ideas which is under consideration is to initiate SSL access for logged-in members, perhaps with a minimum of posts (maybe 20). This
would place all ATS access (for members) under encrypted HTTPS protocol.
There are, of course, issues with this idea. Site performance may slow and we wouldn't even "go there" until our next round of hardware upgrades is
complete. And we would likely use an open source SSL solution (we strongly support all open source projects) which would not be the most secure
option.
I'd like your feedback on this idea... would you give up a slight performance hit in favor of encrypted communications with ATS?
Or, perhaps just the page to create a new thread or post replies should be under an SSL secure certificate.
Your thoughts?
[edit on 12-4-2006 by SkepticOverlord]
reply posted on 12-4-2006 @ 07:58 AM by phiniks
I have to say: for such an enormous forum it's surprisingly fast. It would be a pity if that speed goes down.
reply posted on 12-4-2006 @ 07:58 AM by Cug
Originally posted by SkepticOverlord
Or, perhaps just the page to create a new thread or post replies should be under an SSL secure certificate.

I would really like that + secure login page. While I have a feeling that the NSA can break SSL, and PGP, etc., it takes time to do and I don't think
they will bother decrypting everything. And it would be much easier on the servers.
Not to mention I'd personally be more comfortable posting from a wifi hotspot if my posts were encrypted.
Oh and ditto on the open source comments. (Linux bigot here)
reply posted on 12-4-2006 @ 08:02 AM by NotClever
If the content of forums and threads is still visible to the general lurking public, what benefit is SSL for anything other than u2u's or "special"
areas?
In other words, what's the point of encrypting posts if they are ultimately un-encrypted on a public forum?
NC
[edit on 12-4-2006 by NotClever]
reply posted on 12-4-2006 @ 08:03 AM by dgtempe
I think it's a good idea, and we should at least give it a try.
I know nothing about the technicalities of this, but "protection" seems like a very appealing plan. If it can be done with minimal expenses
to ATS and undone if it doesn't work, I think you should do it.
Thanks for being on top of the times!!!!
reply posted on 12-4-2006 @ 08:05 AM by fingapointa
I think it would be a good idea to have it as an option. Maybe not as a requirement but as a choice the user makes. Something like a standard/secure
radio button near the login box. Thanks for looking out for us.
[edit on 12-4-2006 by fingapointa]
reply posted on 12-4-2006 @ 08:10 AM by koji_K
I have to say my primary security concern with ATS is the mundane issue of the "openness" of the forums, in that everything said.. if not your
actual logs... are open to spiders from google and other search engines to be catalogued for posterity. Perhaps this is just as much a benefit as it
is a concern though... I understand there is the secret forum, and I think that's a good idea... It's not so much hackers I'm worried about as it
is the possibility that one day, in the near or far future, there may be a way to easily identify us all, and then look up our postings... employers,
insurance companies, the feds, who knows who. For some this may not be a concern, but I think there's something to be said for a truly anonymous
forum.
I also wonder (and I rarely like to think of myself as a shrill, 'think of the children' sort) but, oftentimes younger sorts who may not know the
exact consequences of having their comments... that they think are anonymous... becoming non-anonymous in the future, for whatever reason (and I know
ATS management would take every effort to prevent such, so this is not any kind of indictment of them/yourselves). As you can see I've only given
this a small amount of thought, but, it is a concern. We don't know how long ATS is going to be around, and I wonder if, say, the angry 16 year old
of today who gets a job with the FBI 10 years from now, might have to deal with, at the least, some embarrassment, if not a black mark on his record,
all because someone in that era was handy with a search engine.
Maybe some way of making all posts "hidden" unless someone checks a box to make them spider-readable?
On the other hand, I know ATS is a public forum, and that has always come with a certain assumption of risk. I guess the trade-off is publicity vs.
secrecy though, and there's a lot to be said for either. Having your posts reach a large audience is a nice thing too.
As for the original topic, at the end of the day I'd be willing to sacrifice some speed for security, absolutely.
[edit on 12-4-2006 by koji_K]
[edit on 12-4-2006 by koji_K]
reply posted on 12-4-2006 @ 08:11 AM by chebob
Originally posted by fingapointa
I think it would be a good idea to have it as an option. Maybe not as a requirement but as a choice the user makes.

Same here, I was thinking a very small fee in the ATS "shop", to access the "secure" features. That way, people on Dial Up, or in a hurry, won't
have to give up performance, but can if they feel the need for extra security.
Good idea SO
reply posted on 12-4-2006 @ 08:24 AM by Majic
Public Privacy
I'm not sure I see a need for SSL encryption all around.
With the exception of a few private forums like RATS and the staff forums, ATS is publicly-accessible. Since the final destination of most posts is a
thread anyone in the world can look at anyway, I don't see a strong need for post encryption per se.
Even for the private forums, I frankly haven't seen anything that should worry any government -- or ATSers, should the government gain access to it.
As much as I love my fellow members, the truth is that from a national security standpoint, we're rather boring.
So for posting and general member access (which consists mostly of browsing public forums anyway), I'm not seeing a driving need or anything that
would justify a performance hit -- unless I'm overlooking something.

Low Profile
If I were to look at an area of ATS security that I would want to upgrade, it would be the member login process and profile data.
The login process controls access to member account data and guards against account hijacking and misuse.
The member profile data contains the sole "hard" link back to a user's identity: an email address.
Thus I see the member's login and profile data as the most important member data to protect, and it may make some sense to beef that up with SSL and
perhaps other schemes as appropriate.
However, for everything else, I think cookie-based security is probably fine. It's not like ATS is an online bank.

Backstage Pass
Another area worthy of ensuring a high level of security for would be all access by staff members: moderators, super-mods and admins.
Any form of interception of any of these accounts or access points would have grave consequences for the security and integrity of the site. So for
staff accounts, full-time https might be a good idea.
Also, being a paranoid maniac like I am, I think anything that can ensure the safety of the ATS databases is of utmost importance. If we lose our
data, we're gone.
My impression is that there is already a great deal of care taken with the data, but there's no such thing as "too cautious" when it comes to the
database at the heart of our online community.

Public Thoughts
My advice is to go for the "low-hanging fruit" for ATS security concerns and aim for things that can be tightened up with minimal risk or
performance hits, and work from there.
Securing member logins, member data, staff access and database security/integrity are my first recommendations. 
reply posted on 12-4-2006 @ 08:52 AM by Gemwolf
My opinion.
Majic pretty much said everything (and more) I was going to say. It basically comes down to: Is there a real need for high-security? How many of us
really share the kind of Top Secret Area 51 Classified information that could land us in trouble with any sort of Government agency? Personally I have
nothing to hide, and in general most members don't, either. We're just paranoid, and we like to know that "they can't get us".
I sit on the other side of the planet, and it'll get a bit frustrating if the load speed slows down more. (And it's actually lightning-fast
considering everything.) The moment I have to give my Credit Card number to view ATS, I'll give my full support for high security. Right now, I'm
not concerned about Big Brother.
This post will self-destruct in 5 seconds...
reply posted on 12-4-2006 @ 08:53 AM by DrBones666
I'm not worried really, I'm sure they know who most of us are anyway. I will be worried when they start rolling in the busses to those detainment
centres.
Let's face it, if you're going to be on the list, you're probably already on it.
That's OK though, I don't mind giving up my freedom for safety, please oh wonderful government, protect me from myself, and the silly things I might
say and do.
I love watching the 5 o'clock news and being told what to think, as well as Australian Idol, it's so important to me to find out who got eliminated
this round.
I love the idea that it's cool to be a fool, so don't stay in school, not when you can go home and watch your television programming.
Be a good little sheep, thinking for yourself is over-rated anyway, don't you want to fit in with the rest of the herd?
*zombie expression* "One of Us, One of Us, One of Us, One of Us."
reply posted on 12-4-2006 @ 08:54 AM by Cug
Originally posted by NotClever
If the content of forums and threads is still visible to the general lurking public, what benefit is SSL for anything other than u2u's or "special"
areas?
In other words, what's the point of encrypting posts if they are ultimately un-encrypted on a public forum?

Think of it like this.
Right now with the AT&T thing the government (or whoever) knows that Joe Smith 123 main st anytown, anystate 12345 (555)555-5555 account # 123456789
made a post that said "I don't like the government, the government is bad, someone should do something about the government"
Now if the posting page were encrypted they will know that Joe Smith saw a post that said that after an encrypted session. But that can't directly
connect the post by NotClever to him.
IMHO people need to get with it and start protecting themselves online.
reply posted on 12-4-2006 @ 09:18 AM by tommy1701
I really don't think there is a need for more security here at ATS.
I know the cruel, evil, unjust, psycho U.S. government with the evil dictator Bush is watching us here at ATS.
I know, "they" are tapping my phones, looking at the web sites I visit, blah blah blah.
Everyone beware, "they" are here. I think the name of this site should be changed to I'm paranoid.com
If anyone from the government is looking at ATS - it is for COMEDY RELIEF.
I would love for the government to show up at my door and say, "you posted a comment against the US government on ATS, you have to come with us".
Sounds more like Star Trek III, "Khan, I have the secret of Genesis, but you're gonna have to come down here to get it", "You're gonna have to come
down here!!!!".
I can't remember when I laughed so much.
reply posted on 12-4-2006 @ 09:27 AM by NotClever
Originally posted by Cug
Joe Smith 123 main st anytown, anystate 12345 (555)555-5555 account # 123456789 made a post that said "I don't like the government, the government
is bad, someone should do something about the government"

Well, they're not getting that type of information from data packets. However, they can discover that "Cug" is possibly in S. Bend IN, was born in
Jan. of 1968, and has a possible interest in the occult.
That's from 15 seconds. Imagine a team of spooks and 24 hours looking for you now.
NC
reply posted on 12-4-2006 @ 09:39 AM by Odium
I myself do not think it is needed - with the exception of RATS. I publicly state my name, where I went to College, where I am at Uni, the name of
the town I live in and even give out my MSN on the bottom of the posts. Which is my real name...and I honestly believe the Government is tyrannical in
nature.
The problem is, if we do live in a state of fear they've already won. After all, half the battle for one's mind. Furthermore, anything that could
limit the access to non-members to information, I myself would find more offensive than my IP, Name, etc, being kept private. We're here to help one
another...
Edit: In fact, maybe it is about time more people who have problems with the Government say it...nothing ever gets done behind closed doors, by people
complaining...
[edit on 12/4/2006 by Odium]
reply posted on 12-4-2006 @ 09:39 AM by Sauron
Why do I get a funny feeling about this, I mean it sounds like a good idea and I'm sure it most likely is. But give up your freedom for security
sounds like Bush and the boys trying to protect us from those nasty terrorists. Only in this case it is to protect us from those nasty Bush
terrorists.
Anyway back to reality I know we are not giving any freedom up, and believe it would be a good idea.
[edit on 12/4/2006 by Sauron]
reply posted on 12-4-2006 @ 10:01 AM by Gools
What would we be protecting ourselves against? Our right to free speech?
If you're afraid of exercising your rights, you've already lost them!
If you're afraid of the consequences of anything you write on this or any other public medium then maybe it's time to put partisanship aside and
act? Or are you afraid of being labelled one of those namby pamby "activists"?
Amazing how far we have travelled down the road to tyranny in the last decade isn't it? And the only thing we have to do to let it happen is nothing.
Hiding behind a wall of encryption is equivalent to living in gated communities in fear of the big bad world or demanding that a wall be built at the
borders to keep the "bad people" out (or is that keep the good people in?).
To paraphrase a famous quote: "Those who would trade performance for security deserve neither".
I really do hope the powers that be are reading this and other sites looking for truth, because maybe then they can get a clue and learn something.
.
Edit: brain fart
[edit on 4/12/2006 by Gools]
reply posted on 12-4-2006 @ 10:16 AM by V Kaminski
Do just enough to demonstrate you're serious about security without getting too-crypto-complicated and even with a minor perf hit and I'd be even
more pleased with ATS.
Whole darn planet seems logged anyway but it would serve to improve member confidence and draw out some of the lurkers and others who might not
otherwise seek participation.
Great idea.
reply posted on 12-4-2006 @ 10:27 AM by SkepticOverlord
Originally posted by V Kaminski
but it would serve to improve member confidence

This is my primary reason for floating this idea. I'm not certain, in the end, that putting portions of ATS under a secure socket layer for logged-in
members would amount to any real improvement in overall privacy. However, it represents our continued concern in making sure we respond to the needs
and desires of our members, and we've always been proactive in that regard.
reply posted on 12-4-2006 @ 10:32 AM by dAlen
Originally posted by SkepticOverlord
First, you should know that we don't retain traffic logs any longer than is needed to compile aggregate traffic/performance reports. So it's
impossible to engage in any review of our traffic history to reveal specific visit patterns.

I apologize, but I really am not clear as to what the problem is.
This is a public forum in which anyone can see who posted what.
Your post mentioned the ability to reveal specific visit patterns... I'm not sure what good this would do anyone (even the government.)
Any information, regardless, I'm sure can be obtained from government(s) without a problem.
God's Peace
dalen